CVE-2020-26882
Description
JSON parse data amplification in Play Framework multipart/form-data handling allows denial of service against applications accepting JSON form fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JSON parse data amplification in Play Framework multipart/form-data handling allows denial of service against applications accepting JSON form fields.
Vulnerability
Overview
CVE-2020-26882 affects Play Framework versions 2.6.0 through 2.8.2. The vulnerability is a data amplification issue that occurs when an application accepts JSON input via multipart/form-data (i.e., JSON embedded as a form field). Crafted JSON payloads can cause disproportionately large memory or processing consumption, leading to a denial of service condition [1][3].
Exploitation
An attacker can send a specially crafted multipart/form-data request with a JSON field that triggers data amplification. The attack does not require authentication or any special network position; it is exploitable over the network without user interaction. The CVSS v3.1 base score is 6.7 (medium) with a vector string reflecting low complexity, no privileges required, and high availability impact [1][3].
Impact
Successful exploitation results in significant resource consumption (data amplification), potentially leading to service unavailability. The vulnerability has no direct impact on confidentiality or integrity, but the denial of service can disrupt application functionality.
Mitigation
Play Framework 2.8.3 and 2.7.6 contain fixes for this issue. Users on Play 2.6.x should upgrade to a supported version (2.7.6 or 2.8.3) as 2.6.x has reached end-of-support and will not receive a patch [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.typesafe.play:playMaven | >= 2.6.0, < 2.7.6 | 2.7.6 |
com.typesafe.play:playMaven | >= 2.8.0, < 2.8.3 | 2.8.3 |
Affected products
2- Play/Play Frameworkdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- github.com/advisories/GHSA-r8rm-4hfj-2x87ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-26882ghsaADVISORY
- github.com/playframework/playframework/pull/10495ghsaWEB
- www.playframework.com/security/vulnerabilitymitrex_refsource_MISC
- www.playframework.com/security/vulnerability/CVE-2020-26882-JsonParseDataAmplificationghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.